Hello everyone,
I am trying to get sssd configured with LDAP but am having a little bit of trouble. I can successfully authenticate and get all user information and all that basic jazz. However, when I set pwdReset in the user's entry on our LDAP server, sssd is not prompting the user to reset their password. It's obvious from the sssd log for the domain (part included below) that sssd sees the attribute in the password policy control, but the message is not making it back to PAM.
I have also included the config for the domain, including some of my attempts to figure out whether this is a configuration issue. Am I missing a setting? Have I found a bug? What's going on here?
- Seth
Some pertinent versions:
CentOS 6, sssd 1.12.2, openldap 2.4.39
>>>>>>>>>>>>>>>>>> auth-people log
[find_password_expiration_attributes] (0x4000): No password policy requested.
[simple_bind_send] (0x0100): Executing simple bind as: *****
[simple_bind_send] (0x2000): ldap simple bind sent, msgid = 2
[sdap_process_result] (0x2000): Trace: sh[0x136a340], connected[1], ops[0x1410460], ldap[0x1360050]
[sdap_process_result] (0x2000): Trace: ldap_result found nothing!
[sdap_process_result] (0x2000): Trace: sh[0x136a340], connected[1], ops[0x1410460], ldap[0x1360050]
[sdap_process_message] (0x4000): Message type: [LDAP_RES_BIND]
[simple_bind_done] (0x2000): Server returned control [1.3.6.1.4.1.42.2.27.8.5.1].
[simple_bind_done] (0x1000): Password Policy Response: expire [0] grace [-1] error [Password must be changed].
[simple_bind_done] (0x1000): Password was reset. User must set a new password.
[simple_bind_done] (0x0400): Bind result: Success(0), no errmsg set
[auth_bind_user_done] (0x4000): Found ppolicy data, assuming LDAP password policies are active.
[sdap_handle_release] (0x2000): Trace: sh[0x136a340], connected[1], ops[(nil)], ldap[0x1360050], destructor_lock[0], release_memory[0]
[remove_connection_callback] (0x4000): Successfully removed connection callback.
[be_pam_handler_callback] (0x0100): Backend returned: (0, 12, <NULL>) [Success]
[be_pam_handler_callback] (0x0100): Sending result [12][auth-people]
[be_pam_handler_callback] (0x0100): Sent result [12][auth-people]
>>>>>>>>>>>>>>> sssd.conf section for the domain
[domain/auth-people]
ldap_uri = ************
ldap_user_search_base = ou=people,**********
ldap_group_search_base = ou=group,**********
ldap_id_use_start_tls = True
ldap_tls_cacert = /etc/sssd/ca-certificate.pem
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
access_provider = ldap
selinux_provider = none
ldap_access_filter = (objectClass=posixAccount)
ldap_access_order = filter
debug_level = 0xFFF0

[sssd]
services = nss, pam
config_file_version = 2
domains = auth-people,auth-systemAccounts
debug = 0xFFF0

[nss]
debug_level = 0xFFF0

[pam]
debug_level = 0xFFF0
pam_verbosity = 2
On (19/11/14 16:04), Seth Sims wrote:
> Hello everyone,
> I am trying to get sssd configured with LDAP but am having a little bit of trouble. I can successfully authenticate and get all user information and all that basic jazz. However, when I set pwdReset in the user's entry on our LDAP server, sssd is not prompting the user to reset their password. It's obvious from the sssd log for the domain (part included below) that sssd sees the attribute in the password policy control, but the message is not making it back to PAM.
> I have also included the config for the domain, including some of my attempts to figure out whether this is a configuration issue. Am I missing a setting? Have I found a bug? What's going on here?
> - Seth
> Some pertinent versions:
> CentOS 6, sssd 1.12.2, openldap 2.4.39
> >>>>>>>>>>>>>>>>>>> auth-people log
> [find_password_expiration_attributes] (0x4000): No password policy requested.
> [simple_bind_send] (0x0100): Executing simple bind as: *****
> [simple_bind_send] (0x2000): ldap simple bind sent, msgid = 2
> [sdap_process_result] (0x2000): Trace: sh[0x136a340], connected[1], ops[0x1410460], ldap[0x1360050]
> [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
> [sdap_process_result] (0x2000): Trace: sh[0x136a340], connected[1], ops[0x1410460], ldap[0x1360050]
> [sdap_process_message] (0x4000): Message type: [LDAP_RES_BIND]
> [simple_bind_done] (0x2000): Server returned control [1.3.6.1.4.1.42.2.27.8.5.1].
> [simple_bind_done] (0x1000): Password Policy Response: expire [0] grace [-1] error [Password must be changed].
> [simple_bind_done] (0x1000): Password was reset. User must set a new password.
> [simple_bind_done] (0x0400): Bind result: Success(0), no errmsg set
> [auth_bind_user_done] (0x4000): Found ppolicy data, assuming LDAP password policies are active.
> [sdap_handle_release] (0x2000): Trace: sh[0x136a340], connected[1], ops[(nil)], ldap[0x1360050], destructor_lock[0], release_memory[0]
> [remove_connection_callback] (0x4000): Successfully removed connection callback.
> [be_pam_handler_callback] (0x0100): Backend returned: (0, 12, <NULL>) [Success]
> [be_pam_handler_callback] (0x0100): Sending result [12][auth-people]
> [be_pam_handler_callback] (0x0100): Sent result [12][auth-people]
^^^ That's the right PAM error code.
From pam header files:
#define PAM_NEW_AUTHTOK_REQD 12 /* New authentication token required.
                                   This is normally returned if the
                                   machine security policies require
                                   that the password should be changed
                                   because the password is NULL or it
                                   has aged */
How did you test? (With ssh or with "su -"?)
Could you share the log files from the pam section as well? /var/log/secure would be helpful too.
How did you configure the PAM stack?
LS
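An added example, not from Seth, LS or the sssd project: a small Python helper that reads an sssd domain-log excerpt like the one above (even when the newlines were collapsed by the mail client), pulls out the password-policy response control and the status the backend handed to the PAM responder, and names that status using the Linux-PAM codes from _pam_types.h. It assumes the "[function] (0xLEVEL): message" entry format shown in the trace and reads "Backend returned: (0, 12, <NULL>)" as (provider error, pam_status, error message), which is the reading the reply above gives it. The embedded sample trace is a constructed copy of the one in the original message.

```python
import re

# Linux-PAM return codes from _pam_types.h (only the ones that usually show up
# when reading an sssd authentication trace).
PAM_CODES = {
    0: "PAM_SUCCESS",
    6: "PAM_PERM_DENIED",
    7: "PAM_AUTH_ERR",
    9: "PAM_AUTHINFO_UNAVAIL",
    10: "PAM_USER_UNKNOWN",
    12: "PAM_NEW_AUTHTOK_REQD",
    13: "PAM_ACCT_EXPIRED",
}

# OID of the LDAP password policy response control, as seen in the trace.
PPOLICY_CONTROL_OID = "1.3.6.1.4.1.42.2.27.8.5.1"

# Every sssd debug entry starts with "[function] (0xLEVEL): message".  A log
# pasted into an e-mail often has its newlines collapsed, so entries are split
# on that header rather than on line breaks.
ENTRY_RE = re.compile(r"\[(\w+)\] \((0x[0-9A-Fa-f]+)\): ")
PPOLICY_RE = re.compile(
    r"Password Policy Response: expire \[(-?\d+)\] grace \[(-?\d+)\] error \[([^\]]*)\]")
# Assumed layout of the backend line: "(dp_err, pam_status, errmsg)".
BACKEND_RE = re.compile(r"Backend returned: \((\d+), (\d+), ([^)]*)\)")


def split_entries(log_text):
    """Return (function, level, message) tuples from sssd debug output."""
    heads = list(ENTRY_RE.finditer(log_text))
    entries = []
    for i, head in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(log_text)
        entries.append((head.group(1), head.group(2), log_text[head.end():end].strip()))
    return entries


def analyze_bind(log_text):
    """Summarise what the LDAP bind and the provider reported to the PAM responder."""
    summary = {
        "ppolicy_control": False,   # server attached the ppolicy response control
        "expire": None,             # seconds until expiry, per the control
        "grace": None,              # grace logins remaining; -1 means not sent
        "ppolicy_error": None,      # textual ppolicy error, if any
        "pam_status": None,         # numeric PAM status returned by sssd_be
        "pam_status_name": None,
        "must_change_password": False,
    }
    for func, _level, msg in split_entries(log_text):
        if func == "simple_bind_done" and PPOLICY_CONTROL_OID in msg:
            summary["ppolicy_control"] = True
        m = PPOLICY_RE.search(msg)
        if m:
            summary["expire"] = int(m.group(1))
            summary["grace"] = int(m.group(2))
            summary["ppolicy_error"] = m.group(3)
        m = BACKEND_RE.search(msg)
        if func == "be_pam_handler_callback" and m:
            code = int(m.group(2))
            summary["pam_status"] = code
            summary["pam_status_name"] = PAM_CODES.get(code, "UNKNOWN(%d)" % code)
    # PAM_NEW_AUTHTOK_REQD (12) means the bind succeeded but the policy requires
    # a password change; whether the user is prompted is then up to the PAM stack.
    summary["must_change_password"] = summary["pam_status"] == 12
    return summary


# Constructed sample: the trace from the original message, one entry per line,
# with the bind DN masked as it was in the mail.
SAMPLE_LOG = """\
[find_password_expiration_attributes] (0x4000): No password policy requested.
[simple_bind_send] (0x0100): Executing simple bind as: *****
[simple_bind_send] (0x2000): ldap simple bind sent, msgid = 2
[sdap_process_result] (0x2000): Trace: sh[0x136a340], connected[1], ops[0x1410460], ldap[0x1360050]
[sdap_process_result] (0x2000): Trace: ldap_result found nothing!
[sdap_process_result] (0x2000): Trace: sh[0x136a340], connected[1], ops[0x1410460], ldap[0x1360050]
[sdap_process_message] (0x4000): Message type: [LDAP_RES_BIND]
[simple_bind_done] (0x2000): Server returned control [1.3.6.1.4.1.42.2.27.8.5.1].
[simple_bind_done] (0x1000): Password Policy Response: expire [0] grace [-1] error [Password must be changed].
[simple_bind_done] (0x1000): Password was reset. User must set a new password.
[simple_bind_done] (0x0400): Bind result: Success(0), no errmsg set
[auth_bind_user_done] (0x4000): Found ppolicy data, assuming LDAP password policies are active.
[sdap_handle_release] (0x2000): Trace: sh[0x136a340], connected[1], ops[(nil)], ldap[0x1360050], destructor_lock[0], release_memory[0]
[remove_connection_callback] (0x4000): Successfully removed connection callback.
[be_pam_handler_callback] (0x0100): Backend returned: (0, 12, <NULL>) [Success]
[be_pam_handler_callback] (0x0100): Sending result [12][auth-people]
[be_pam_handler_callback] (0x0100): Sent result [12][auth-people]
"""

if __name__ == "__main__":
    for key, value in analyze_bind(SAMPLE_LOG).items():
        print("%-22s %s" % (key, value))
```

Run against the sample, it reports that the ppolicy control was present, that the server said "Password must be changed", and that sssd_be returned 12 (PAM_NEW_AUTHTOK_REQD), which confirms the reply's point that the provider side did its job and the place to look next is the responder log and the PAM stack on the client.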
sssd-users@lists.fedorahosted.org